HAProxy is free, open-source software that provides a high-availability load balancer and proxy server for TCP and HTTP-based applications. It is particularly suited for very high traffic websites and powers quite a number of the world’s most visited ones. Setting up HAProxy on CentOS/RHEL (Red Hat Enterprise Linux) can enhance your network infrastructure by improving its performance and reliability.
This guide will walk you through the steps needed to install and configure HAProxy on CentOS/RHEL 9/8.
Prerequisites
- A CentOS/RHEL 9/8 server
- A non-root user with sudo privileges
Step 1: Update Your System
Before installing any package, it’s a good practice to update your system’s package index. This ensures that you have the latest updates and security patches.
sudo dnf update
Step 2: Install HAProxy
HAProxy is available in the default CentOS/RHEL repositories. Install it using the following command:
sudo dnf install haproxy
Step 3: Configure HAProxy
After installation, the next step is to configure HAProxy to suit your needs. The main configuration file for HAProxy is /etc/haproxy/haproxy.cfg. You will need to edit this file with your configuration. Use a text editor like nano or vim to edit the file:
sudo nano /etc/haproxy/haproxy.cfg
Basic Configuration
Here’s a basic example configuration that sets up HAProxy as a load balancer for two web servers:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Update to use only TLS 1.3 and TLS 1.2
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    ssl-default-bind-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
    bind *:80
    # Enable TLS 1.3 and TLS 1.2 on HTTPS connections
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem alpn h2,http/1.1
    # Send plain-HTTP requests to the HTTPS listener
    redirect scheme https if !{ ssl_fc }
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app
backend static
    balance roundrobin
    server static1 192.168.1.101:80 check
    server static2 192.168.1.102:80 check
backend app
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server app1 192.168.1.103:80 check cookie app1
    server app2 192.168.1.104:80 check cookie app2
listen stats
    bind *:8080
    stats enable
    stats uri /haproxy?stats
    stats hide-version
    # Example credentials only: set a strong, unique password before starting HAProxy
    stats auth admin:admin
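This configuration tells HAProxy to listen on ports 80 and 443 (frontend http-in), redirect plain HTTP requests to HTTPS, send requests for static content to backend static, and send everything else to backend app. Each backend balances the load between two servers using the round-robin algorithm, and backend app uses the SERVERID cookie to keep a client on the same server.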
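The listen stats section serves the stats page on port 8080. Its stats uri /haproxy?stats line puts the page at the /haproxy?stats URL, protected by the user name and password set in stats auth, where you can view useful statistics about your HAProxy server.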
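The following is an added example, not part of the original guide: a shell function that checks any section with stats enable for the settings the listen stats section above uses (wildcard bind, no TLS on the bind, stats auth admin:admin). The function name audit_haproxy_stats, the 12-character password threshold and the second listener in the sample (stats_local, port 8404, placeholder secret) are assumptions made for illustration.

```shell
# Added example: report risky settings on any section with "stats enable".
# Output: one finding per line, "<section>: <issue>".
audit_haproxy_stats() {
    awk '
    function report() {
        if (!stats) return
        if (wild)  print section ": stats page bound to all interfaces (" binds ")"
        if (plain) print section ": stats reachable over a bind without TLS"
        if (!auth) print section ": stats page has no authentication"
        if (weak)  print section ": weak or default password for stats user " user
    }
    # A common section keyword starts a new block; report the previous one.
    $1 ~ /^(global|defaults|frontend|backend|listen)$/ {
        report()
        section = $1 (NF > 1 ? " " $2 : "")
        stats = wild = plain = auth = weak = 0; binds = user = ""
        next
    }
    $1 == "bind" {
        binds = (binds == "" ? $2 : binds "," $2)
        if ($2 ~ /^(\*|0\.0\.0\.0|::)?:[0-9]+$/) wild = 1
        tls = 0; for (i = 3; i <= NF; i++) if ($i == "ssl") tls = 1
        if (!tls) plain = 1
    }
    $1 == "stats" && $2 == "enable" { stats = 1 }
    $1 == "stats" && $2 == "auth" {
        auth = 1
        n = index($3, ":"); u = substr($3, 1, n - 1); p = substr($3, n + 1)
        # Heuristic (assumption): password equals the user name or is short.
        if (p == u || length(p) < 12) { weak = 1; user = u }
    }
    END { report() }
    ' "$1"
}

# Constructed sample: the stats listener from this guide, then a hypothetical
# tightened one (loopback bind, TLS, placeholder secret to be replaced).
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen stats
    bind *:8080
    stats enable
    stats auth admin:admin
listen stats_local
    bind 127.0.0.1:8404 ssl crt /etc/haproxy/certs/example.com.pem
    stats enable
    stats auth ops:REPLACE_WITH_LONG_RANDOM_SECRET
EOF
audit_haproxy_stats "$sample"
```

Run it against the real file with audit_haproxy_stats /etc/haproxy/haproxy.cfg; the stats listener from this guide produces three findings and the loopback one produces none.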
Save and Exit
After configuring HAProxy to your liking, save the file and exit the text editor.
Step 4: Enable and Start HAProxy
With HAProxy configured, the next step is to enable it to start on boot and then start the service immediately:
sudo systemctl enable haproxy
sudo systemctl start haproxy
To ensure that HAProxy is running, you can check its status with:
sudo systemctl status haproxy
Step 5: Adjust Firewall Settings
If you have a firewall enabled, you’ll need to allow traffic through the ports that HAProxy is listening on. For example, to allow traffic on ports 80 and 443, you can use:
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
Conclusion
You have successfully installed and configured HAProxy on your CentOS/RHEL 9/8 server. HAProxy is now set up to distribute incoming network traffic across your backend servers, increasing the reliability and performance of your application. Don’t forget to regularly check the HAProxy stats page to monitor its performance and make adjustments as needed.